The editorial argues that frontier labs have published claims and benchmarks about AI-found vulnerabilities for nearly a year, but never the runnable scaffolding. By open-sourcing the harness itself and letting the model be the variable, Anthropic enables independent reproduction of methodology that was previously opaque.
The editorial highlights that Anthropic explicitly isn't claiming the harness finds zero-days on its own. The narrow, honest pitch — a reference implementation of loop logic, prompts, and tool definitions meant to be forked rather than run as-is — distinguishes it from the typical hype cycle around AI-assisted vuln discovery.
By submitting the raw GitHub repo to HN and driving it to 436 points and the front page, binyu's submission demonstrates that the developer community values orchestration code, prompt templates, and tool definitions on their own merits — without needing a flashy dashboard or hosted product to anchor the conversation.
Anthropic published `defending-code-reference-harness` on GitHub — an open-source reference implementation of the agent scaffolding it uses internally for AI-powered vulnerability discovery. The repo hit the Hacker News front page within hours and stayed there, accumulating 436 points on a single-source post. That's unusual for an infrastructure release with no flashy demo: there's no hosted dashboard, no API key flow, no SaaS. Just the orchestration code, the prompt templates, the tool definitions, and the loop logic.
The pitch is narrow and honest: this is the scaffolding, not the magic. Anthropic isn't claiming the harness itself finds zero-days. It's claiming that if you wire a capable model (their own, presumably, but the abstraction is provider-shaped) into a structured loop with code-reading tools, sandboxed execution, and the prompt patterns they've battle-tested, you can reproduce the methodology behind their internal security research. The reference implementation is meant to be forked, not run as-is.
The timing is notable. Frontier labs have been publishing increasingly aggressive claims about AI-assisted vulnerability discovery for the better part of a year — Google's Project Naptime, DeepMind's Big Sleep finding a real SQLite bug, OpenAI's quieter work in the space. Until now, none of them had shipped the actual harness. Blog posts, yes. Benchmarks, occasionally. The runnable code that produced the results? No.
The security community has been stuck in an uncomfortable position: every major lab claims its models can find real vulnerabilities, but the methodology is opaque. You either trust the writeup or you don't. Independent reproduction has been near-impossible because the scaffolding — the part that actually does the work — was treated as proprietary. Anthropic just collapsed that asymmetry by handing over the scaffolding and letting the model layer be the variable you control.
That's a bigger shift than it sounds. The prevailing wisdom in agent design has been that the prompt patterns, the tool call sequences, and the loop control are where the moat lives. Models are increasingly interchangeable; scaffolding is supposedly where the differentiation happens. By open-sourcing the scaffolding for one of the most commercially sensitive use cases — finding exploitable bugs in software — Anthropic is implicitly arguing that the moat isn't there either. The moat is the model, the eval data, and the institutional discipline to actually run this stuff at scale against your own infrastructure.
Compare this to the OSS-Fuzz lineage. Google's OSS-Fuzz has spent a decade running coverage-guided fuzzing against thousands of open-source projects, finding tens of thousands of bugs. The infrastructure is open, the corpus is shared, the methodology is documented. AI-assisted vuln discovery has been missing exactly that — a reference implementation that academic researchers, security firms, and bug-bounty hunters can fork without reverse-engineering a blog post. This repo is the first credible attempt to fill that gap from a frontier lab.
The community response on HN was unusually substantive for an Anthropic release. Practitioners pulled apart the prompt structures, debated whether the tool surface was minimal enough (some wanted fewer tools, arguing the model gets confused with too many), and compared the orchestration to existing patterns like SWE-agent and Aider. The recurring observation: the prompts are conservative and the loop is boring in a good way. No clever recursive self-reflection, no multi-agent orchestration theater. Read code, hypothesize, test, repeat.
If you run a security team, this is the cheapest credible starting point for in-house AI-assisted code review you're going to get. Fork the repo, swap in your preferred model provider, point it at a target codebase, and you have a baseline you can iterate against. The hard part was never writing the loop — it was knowing what prompts and tool definitions actually work in practice, and that's exactly what Anthropic just gave away.
For application engineers, the practical implication is more interesting than the security one. The harness is a working example of agent design that prioritizes legibility over cleverness. The prompts are short. The tool surface is small. The control flow is something you could trace in a debugger. If you've been trying to figure out what "good" agent scaffolding looks like for non-security tasks — code migration, test generation, dependency upgrades — this is closer to a canonical reference than anything LangChain or LlamaIndex has shipped. Read it before you build your own.
There's also a procurement angle. Vendors selling AI security products at six-figure ACVs now have to justify what their scaffolding does that this reference doesn't. Some will have genuine answers — proprietary corpora, integration with existing SIEM/CI workflows, compliance reporting. Many won't. Expect the next 90 days to surface which AI security startups are real engineering shops and which are reskinned wrappers around the same loop Anthropic just published.
The interesting second-order effect is what happens when academic security groups get hold of this. Independent reproduction of Anthropic's internal vuln-discovery claims is now possible in a way it wasn't a week ago, which means we're about to find out how much of the reported performance is the harness versus the model versus the targets. If the reproductions land close to the published results, frontier-lab claims about AI security work gain credibility everyone can audit. If they don't, we learn something more important: that the gap between "works in the lab" and "works in your repo" is wider than the marketing suggests.
I wonder how much this thing costs to run.https://github.com/anthropics/defending-code-reference-harne... says:> As a rough guideline, expect ~10K uncached input tokens/min and ~2K output tokens/min per agent. You can scale parallelism up to your account's ITPM
Anthropic realized security and safety are their main value prop compared to the competition. Either mythos or anything else since seem purpose built to streamline the messaging. It’s good, am not complaining, but i wonder how much this is intended to showcase what Claude can do over using it as is
They seem to be using this to advertise their "Claude Security" product which promises to find vulnerabilities in your software.This makes for a somewhat amusing set of product offerings given that according to Dario 90% of all software is being AI generated.Maybe next they can sell someth
>This repo is not maintained and is not accepting contributions.Hm :)
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
The thing about things like this is that they're shop jigs. You can buy a crosscut sled if you really want to, but most woodworkers just make their own.It was a different situation 2 years ago, when there was significant cost to building your own harness (but then: you probably weren't doi